fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Size

90KB
MD5

b9c41252b67d5c85b082242630a38f33
SHA1

51f1abcbe2c613908129442e984b6e63a445b4be
SHA256

fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911
SHA512

5ae618c668dd55f207fd399d1f721ff585de039038be127b20b9920853738f2fc633808ae57f28a2022e8dd3ff307118f57edab9d4cd84aeeb3cf5b053be85a4
SSDEEP

768:Qvw9816vhKQLroi4/wQRNrfrunMxVFA3b7glw5:YEGh0oil2unMxVS3Hgk

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}\stubpath = "C:\\Windows\\{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe"	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}\stubpath = "C:\\Windows\\{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe"	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18CC8F54-D296-45a1-B0DA-595818FE0151}\stubpath = "C:\\Windows\\{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe"	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}	{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}\stubpath = "C:\\Windows\\{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe"	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D299BD14-5DFC-4591-AF1B-294DE57E7F06}\stubpath = "C:\\Windows\\{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe"	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D91A9ACA-B78C-449a-86B7-9DF23468C345}	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}\stubpath = "C:\\Windows\\{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}.exe"	{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D299BD14-5DFC-4591-AF1B-294DE57E7F06}	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}\stubpath = "C:\\Windows\\{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe"	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}\stubpath = "C:\\Windows\\{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe"	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D91A9ACA-B78C-449a-86B7-9DF23468C345}\stubpath = "C:\\Windows\\{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe"	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18CC8F54-D296-45a1-B0DA-595818FE0151}	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe

Deletes itself 1 IoCs

pid	Process
2728	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe
2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe
2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe
2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe
2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe
1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe
1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe
1688	{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe
2708	{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe
File created	C:\Windows\{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe
File created	C:\Windows\{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe
File created	C:\Windows\{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}.exe	{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe
File created	C:\Windows\{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
File created	C:\Windows\{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe
File created	C:\Windows\{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe
File created	C:\Windows\{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe
File created	C:\Windows\{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
Token: SeIncBasePriorityPrivilege	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe
Token: SeIncBasePriorityPrivilege	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe
Token: SeIncBasePriorityPrivilege	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe
Token: SeIncBasePriorityPrivilege	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe
Token: SeIncBasePriorityPrivilege	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe
Token: SeIncBasePriorityPrivilege	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe
Token: SeIncBasePriorityPrivilege	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe
Token: SeIncBasePriorityPrivilege	1688	{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2028	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	31
PID 2140 wrote to memory of 2028	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	31
PID 2140 wrote to memory of 2028	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	31
PID 2140 wrote to memory of 2028	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	31
PID 2140 wrote to memory of 2728	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	32
PID 2140 wrote to memory of 2728	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	32
PID 2140 wrote to memory of 2728	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	32
PID 2140 wrote to memory of 2728	2140	fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe	32
PID 2028 wrote to memory of 2520	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	33
PID 2028 wrote to memory of 2520	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	33
PID 2028 wrote to memory of 2520	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	33
PID 2028 wrote to memory of 2520	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	33
PID 2028 wrote to memory of 2792	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	34
PID 2028 wrote to memory of 2792	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	34
PID 2028 wrote to memory of 2792	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	34
PID 2028 wrote to memory of 2792	2028	{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe	34
PID 2520 wrote to memory of 2796	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	35
PID 2520 wrote to memory of 2796	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	35
PID 2520 wrote to memory of 2796	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	35
PID 2520 wrote to memory of 2796	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	35
PID 2520 wrote to memory of 2896	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	36
PID 2520 wrote to memory of 2896	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	36
PID 2520 wrote to memory of 2896	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	36
PID 2520 wrote to memory of 2896	2520	{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe	36
PID 2796 wrote to memory of 2920	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	37
PID 2796 wrote to memory of 2920	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	37
PID 2796 wrote to memory of 2920	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	37
PID 2796 wrote to memory of 2920	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	37
PID 2796 wrote to memory of 2276	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	38
PID 2796 wrote to memory of 2276	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	38
PID 2796 wrote to memory of 2276	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	38
PID 2796 wrote to memory of 2276	2796	{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe	38
PID 2920 wrote to memory of 2660	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	39
PID 2920 wrote to memory of 2660	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	39
PID 2920 wrote to memory of 2660	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	39
PID 2920 wrote to memory of 2660	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	39
PID 2920 wrote to memory of 2720	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	40
PID 2920 wrote to memory of 2720	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	40
PID 2920 wrote to memory of 2720	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	40
PID 2920 wrote to memory of 2720	2920	{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe	40
PID 2660 wrote to memory of 1040	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	41
PID 2660 wrote to memory of 1040	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	41
PID 2660 wrote to memory of 1040	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	41
PID 2660 wrote to memory of 1040	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	41
PID 2660 wrote to memory of 1952	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	42
PID 2660 wrote to memory of 1952	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	42
PID 2660 wrote to memory of 1952	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	42
PID 2660 wrote to memory of 1952	2660	{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe	42
PID 1040 wrote to memory of 1728	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	43
PID 1040 wrote to memory of 1728	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	43
PID 1040 wrote to memory of 1728	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	43
PID 1040 wrote to memory of 1728	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	43
PID 1040 wrote to memory of 1512	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	44
PID 1040 wrote to memory of 1512	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	44
PID 1040 wrote to memory of 1512	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	44
PID 1040 wrote to memory of 1512	1040	{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe	44
PID 1728 wrote to memory of 1688	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	45
PID 1728 wrote to memory of 1688	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	45
PID 1728 wrote to memory of 1688	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	45
PID 1728 wrote to memory of 1688	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	45
PID 1728 wrote to memory of 1292	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	46
PID 1728 wrote to memory of 1292	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	46
PID 1728 wrote to memory of 1292	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	46
PID 1728 wrote to memory of 1292	1728	{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe	46

C:\Users\Admin\AppData\Local\Temp\fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe
"C:\Users\Admin\AppData\Local\Temp\fa9f670b10e850420a355b92a998bc03af1b28d31eb0e5abd3bcc477496b3911.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe
  C:\Windows\{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe
    C:\Windows\{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe
      C:\Windows\{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe
        
        C:\Windows\{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe
        
        C:\Windows\{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe
        
        C:\Windows\{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe
        
        C:\Windows\{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe
        
        C:\Windows\{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}.exe
        
        C:\Windows\{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87FC0~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18CC8~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CAE1~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D91A9~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D299B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9F44~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C5ACB~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17FA7~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FA9F67~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{071AEBD9-930F-4b49-83DA-4F243E8DFF3A}.exe

Filesize
90KB

MD5
e867e89f7d4b7886043e9c10c0f4a19e

SHA1
4183e126f3079b73f624bc5027c830fd7e0989f2

SHA256
958386d4a678fd426e5596fbd390867f12f4d6d2b1fc7baae7fc988450b30c3f

SHA512
4cc0ece4dda01622786685adb2caf2ac8bab23283d24923e1a3b2d0e14dddd8ab0793e1511cd27165c5dfc87e67f964b82c63ea2007cb8e64a8dd72f3cd4edac

Download Submit
C:\Windows\{17FA70FA-C6BB-4318-856C-2CE6DB1CEF97}.exe

Filesize
90KB

MD5
34e9cf420ed4797b13d723c22830a47a

SHA1
9231a900cefb539e3c968b32a15d4ca4deab06f7

SHA256
01094dfa59a30bc36ebd0bf7225d6b7a5f6a48bf6fd1b13f3071117ed9cea1de

SHA512
7a1005d313c7a79aca81397580038c1d31cd78875046b1e4dc9b3e851c90e04d3532e566199c6fa5d874c21d5808c0419690272cd58716c2da36e2f142b7a3b1

Download Submit
C:\Windows\{18CC8F54-D296-45a1-B0DA-595818FE0151}.exe

Filesize
90KB

MD5
3d4e9f2258f4838e1fb12f1feae677f0

SHA1
52a960f2069625d52a7516bb04e2b339c7996545

SHA256
ccfd892d42ec3e2734bd9413e3557fa4ed7a786a350f1856a488280625f63431

SHA512
c52a55d2fa66997a835ca20b941e6767b3c895eae4cdac5d39f06e1badfe776d7bb5d622fd6b0207ecf268ea0056cdcbad2bef10873882166f5b70b48c6013aa

Download Submit
C:\Windows\{87FC0BCC-BA74-4ea7-A2BC-342DDE44EA78}.exe

Filesize
90KB

MD5
fa6bc80bdd04112e31e3bca199e04fbf

SHA1
556bde6e2e14eb3cfd548c3fccc3d2c394bee1ad

SHA256
6c552139fc77e8b7b4ba6a24137e1d045746b9cee34f1bac4be6af7ffe18ddb3

SHA512
bbc9790b66ec71ad3d621e376d93d9dbebc8b32bc7846750f9f8398317920e5276923523148b7c17c77da7b71105b67f71092db95b6f91966e6c3aa1791fac92

Download Submit
C:\Windows\{8CAE1294-46F2-42e4-ABE3-39040FB5CE0D}.exe

Filesize
90KB

MD5
d4b5a7d30d295223eec995dadd9ac3d0

SHA1
6124d68226a07a60844b47dfddb48530527489f1

SHA256
ba6a93c06c4867d0987a8aefe3fd5d827f2df39212a66b4b7eeecdaa1ee77f00

SHA512
57ba4e30551eab50cef5268ef73535b7323c5849bd31d6734a5a22678dee5edcc37b3e81a1e1668867964fe1a8c2b40cef8f341446dd1bae67303d1c37847328

Download Submit
C:\Windows\{A9F44AD8-9BD7-4ea8-882E-DEC90440AF55}.exe

Filesize
90KB

MD5
f7ceff3f1114249a823f1f4ce0592dec

SHA1
e2e1f6e650a29ca64dd8fe394f7022780d70c730

SHA256
51e78d022aa122a460c9da5860657bc0eea8f7484744e5b9a1daa0d9ae465773

SHA512
e2a92174107f2de83e8e14f98ac0e8e661abf9016ed6db0d0fbc34c50f0233f7e801fa492b4e777088e2d8cb2254f4bf042da1b742b3a318f49b83cb0042bcdd

Download Submit
C:\Windows\{C5ACBAF3-76C9-4d98-9A50-95E6C9F9BB71}.exe

Filesize
90KB

MD5
74db988c5084b8f311d1d5ffc091ab30

SHA1
78e78d4d366cb2503c58bcd8d77847a77101abff

SHA256
78e66ab5dceb4a1c2bf672a54d52a91f1a8995b890b929b0d86bbfeeb09c7119

SHA512
b976fc0821d63f155cdd37605c5bbebe7b1ce4f0df0bfdc1af0486e5f06dc490bfb293fdc299c92d6b9224d43418288a416ae8290f8fbb0e0523826d7198a6b4

Download Submit
C:\Windows\{D299BD14-5DFC-4591-AF1B-294DE57E7F06}.exe

Filesize
90KB

MD5
ecd0493226c0d16c1a0b70ef0bded7f5

SHA1
5dd0091ae672ed150f485670cd7d4ddd09575f2e

SHA256
5ad679a131d9761bddde08b73c98997ec26cf401fb9c4b2cc758e14412d5ced4

SHA512
aa6a9bba6cda72c996854ddc3c6723cdfad499fc00b1431a9738ac81e9c125ced4c56e5df9104376221dedcc8df6bb3a87bc0e76831a9b8af231285ad168b96a

Download Submit
C:\Windows\{D91A9ACA-B78C-449a-86B7-9DF23468C345}.exe

Filesize
90KB

MD5
ca3c92baff08629269e8b6d8ab1282d6

SHA1
98da6750030f6e7f6fb2f31c1e4eaf52ff1a3325

SHA256
262a56281d4a105048d837203cbd51fe50d6b07612586f2b68d9dfd0a9cecc0a

SHA512
6c51b2876eec9a5143d9fa67ea1064000711d89d7eb98d6cf73b74788501bcb47e9531665b5e880bccae22374b6f737e8dabd23976eb60d3097e67a1bfae83a4

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads